Careful with Composition: Limitations of the Indifferentiability Framework

Abstract

We exhibit a hash-based storage auditing scheme which is
provably secure in the random-oracle model (ROM), but easily
broken when one instead uses typical indifferentiable hash
constructions. This contradicts the widely accepted belief that
the indifferentiability composition theorem from Maurer et
al. (TCC 2004) applies to any cryptosystem. We
characterize the uncovered limitations of indifferentiability by
showing that the formalizations used thus far implicitly exclude
security notions captured by experiments that have multiple,
disjoint adversarial stages. Examples include deterministic
public-key encryption (PKE), password-based cryptography, hash
function nonmalleability, and more. We formalize a stronger
notion, reset indifferentiability, that enables a composition
theorem covering such multi-stage security notions, but our
results show that practical hash constructions cannot be reset
indifferentiable. We finish by giving direct security proofs
for several important PKE schemes.